Overview

overview

8

Static

static

42ba823acb...59.exe

windows7-x64

8

42ba823acb...59.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    197s
  • max time network
    233s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2022, 15:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    42ba823acbe13e69fc97673e873bed6625b6a2d1050630ef88a0e18c232b0459.exe

  • Size

    529KB

  • MD5

    057242616ae4afd984f9df041e47cfc7

  • SHA1

    cc22941490e195b41a4eaac282c4dd292cf9734e

  • SHA256

    42ba823acbe13e69fc97673e873bed6625b6a2d1050630ef88a0e18c232b0459

  • SHA512

    0091537b662ee0f5d601d20e021f04df32e89bdb0fb259fbad3cd62c47dd649d68d1c100dfc0363ce258db2066a065c6db1d4796f0e1e3ed3480c5dbf29b9f6e

  • SSDEEP

    6144:No46tGdytJTDEpULgU8L94jDV9U1woU8LSHP0x8Taj9u:No3N/DEpUE9QDV9U11SR

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 2 IoCs
    installer
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:780
      • C:\Users\Admin\AppData\Local\Temp\42ba823acbe13e69fc97673e873bed6625b6a2d1050630ef88a0e18c232b0459.exe
        "C:\Users\Admin\AppData\Local\Temp\42ba823acbe13e69fc97673e873bed6625b6a2d1050630ef88a0e18c232b0459.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5056
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1968
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4152
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:100
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3200
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7966.bat
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:936
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:3300
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            2⤵
              PID:3776
          • C:\Users\Admin\AppData\Local\Temp\42ba823acbe13e69fc97673e873bed6625b6a2d1050630ef88a0e18c232b0459.exe
            "C:\Users\Admin\AppData\Local\Temp\42ba823acbe13e69fc97673e873bed6625b6a2d1050630ef88a0e18c232b0459.exe"
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:112

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\$$a7966.bat
                  Filesize

                  722B

                  MD5

                  070970a866381cae9a79ab2df8adf062

                  SHA1

                  dac9d91169b538b695355675c5488aa66603d6f6

                  SHA256

                  401d6e34f2a289dd933d38660a7b19323e78d8bc7646b127765505ee00fcdf60

                  SHA512

                  e0e4a55ed078a5df3d3e75041d3c13b188a07c37eabe102c5be3b3d290ff590e69b9e8441f7c3d6e2fea8099b0a397b60edf13d40a1708bd89a5683bf68ba2aa

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\42ba823acbe13e69fc97673e873bed6625b6a2d1050630ef88a0e18c232b0459.exe
                  Filesize

                  495KB

                  MD5

                  fb33bcc98a626b8e21a676c45fcc8aaa

                  SHA1

                  98e0904a3f4738bb72869b933d2bff914e0d50a6

                  SHA256

                  35b828646910d417350e2b3d109c66ec560cb4163de989892e7180d69aef0607

                  SHA512

                  bf12ca9b631386e4460a9f1fefb550ffe0cbe8a3307b1de1f289c77e4f2cdb1a2eed57e6cda18523a134641a276f3e9f88c90defa4417109ec61a3dd1e830205

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\42ba823acbe13e69fc97673e873bed6625b6a2d1050630ef88a0e18c232b0459.exe.exe
                  Filesize

                  495KB

                  MD5

                  fb33bcc98a626b8e21a676c45fcc8aaa

                  SHA1

                  98e0904a3f4738bb72869b933d2bff914e0d50a6

                  SHA256

                  35b828646910d417350e2b3d109c66ec560cb4163de989892e7180d69aef0607

                  SHA512

                  bf12ca9b631386e4460a9f1fefb550ffe0cbe8a3307b1de1f289c77e4f2cdb1a2eed57e6cda18523a134641a276f3e9f88c90defa4417109ec61a3dd1e830205

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\nshD7F2.tmp\System.dll
                  Filesize

                  10KB

                  MD5

                  05e52213cfa17dee760186462a9645ed

                  SHA1

                  f6d5e82080bbba65db7d54e89250c95af833aae3

                  SHA256

                  d9d3ffa4c7d7a152f435f4777e72aa1b6a6c0555f277e59eedebc587c3b66ba5

                  SHA512

                  586eea0bec6345b437667ce528bc2396427dd444a396456e38046a8962e92a52e7ee62b9f6c97f41bc1fb4a1b3905a302d6f7055e26b84e60709ba3b416ad172

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  65c573d296cf8c969e46eaa32d3c8a87

                  SHA1

                  68fa9e474b26712ab37a320a5610fc4a0794fb13

                  SHA256

                  aec74e528d393e457a9497ea24fb81d37f4e9f94fee680c6f1cbf0f596179f95

                  SHA512

                  781bb8f805a0de7fc4cf6ff4687274c39575c33e4655ba14ab6cfd52dc3a8c349d44756888b884cfafc1b27f1aa1bb887c0a6dc47bf88fe6d7a5b620b2fab5dd

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  65c573d296cf8c969e46eaa32d3c8a87

                  SHA1

                  68fa9e474b26712ab37a320a5610fc4a0794fb13

                  SHA256

                  aec74e528d393e457a9497ea24fb81d37f4e9f94fee680c6f1cbf0f596179f95

                  SHA512

                  781bb8f805a0de7fc4cf6ff4687274c39575c33e4655ba14ab6cfd52dc3a8c349d44756888b884cfafc1b27f1aa1bb887c0a6dc47bf88fe6d7a5b620b2fab5dd

                  Download Submit

                • C:\Windows\rundl132.exe
                  Filesize

                  33KB

                  MD5

                  65c573d296cf8c969e46eaa32d3c8a87

                  SHA1

                  68fa9e474b26712ab37a320a5610fc4a0794fb13

                  SHA256

                  aec74e528d393e457a9497ea24fb81d37f4e9f94fee680c6f1cbf0f596179f95

                  SHA512

                  781bb8f805a0de7fc4cf6ff4687274c39575c33e4655ba14ab6cfd52dc3a8c349d44756888b884cfafc1b27f1aa1bb887c0a6dc47bf88fe6d7a5b620b2fab5dd

                  Download Submit

                • memory/2196-139-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2196-132-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/4152-144-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/4152-150-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download